Category: Uncategorized

Buster forces a move to nftables, unfortunately fail2ban thinks it’s still using iptables, so nothing gets blocked. To fix ….

(fail2ban in Buster also seems to require systemd – and no longer reads from e.g. /var/log/mail.log, which is a bit disappointing but oh well…)

After messing about trying to get nftables working – where trying to use the default /etc/nftables.conf file just results in an error a bit like :

/etc/nftables.conf:6:15-19: Error: Could not process rule: No such file or directory

        chain input {

I gave up, and found the Debian Wiki Page which gives :

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Which now allows fail2ban to actualy block things (via /var/log/fail2ban.log etc).

When trying to use these new fangled things on Debian (Stretch) I needed to edit/create /etc/udev/rules.d/titan.rules and put in it something like the following – else nothing happens when you try using them …

KERNEL=="hidraw", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", TAG+="uaccess", GROUP="plugdev", MODE="0660"
KERNEL=="hidraw", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="085b", TAG+="uaccess", GROUP="plugdev", MODE="0660"

This is based on e.g. the ‘dmesg’ output looking something like this for the bluetooth/usb variant :

usb 1-2: new full-speed USB device number 46 using xhci_hcd
usb 1-2: New USB device found, idVendor=096e, idProduct=085b, bcdDevice=35.02
usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-2: Product: ePass FIDO
usb 1-2: Manufacturer: FS

and this for the plain USB YubiKey like one :

usb 1-1: new full-speed USB device number 47 using xhci_hcd
usb 1-1: New USB device found, idVendor=096e, idProduct=0858, bcdDevice=46.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1: Product: U2F
usb 1-1: Manufacturer: FT
hid-generic 0003:096E:0858.0014: hiddev3,hidraw4: USB HID v1.00 Device [FT U2F] on usb-0000:00:14.0-1/input0 

Alternatively, you can just download a udev config file from https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules and stick it in /dev/udev/rules.d and run ‘udevadm control –reload‘

This might help my future self :

SELECT username, password into outfile '/tmp/passwords.txt' fields terminated by ':' optionally enclosed by '' lines terminated by '\n' from mailbox where mailbox.active = 1;

and then :

john /tmp/passwords.txt ….

e.g.

root@mail:~# john /tmp/passwords.txt 
Created directory: /root/.john
Loaded 2327 password hashes with 2326 different salts (md5crypt [MD5 32/64 X2])
Press 'q' or Ctrl-C to abort, almost any other key for status
(vulnerablePassword) whoopsy@example.com

I think the spammers need some help with their regular expressions….

1. See http://github.com/palepurple/policyd-weight – I’m trying to make some changes to policyd-weight (something I’ve been using for ages) to make it more configurable and add in a GeoIP patch which I’ve seen floating around.

2. See https://twitter.com/excommunicado and http://blog.hinterlands.org/2013/11/an-update-on-communicado/ – for a DNS Blacklist you might want to use –  using excommunicado.co.uk as a RHSBL has stopped about 700 spammy emails for me already 🙂

3. See https://github.com/palepurple/policyd-dnsbl-spf-geoip – which should improve on policyd-weight which gave me problems with it’s helo checking etc. It’s easier to configure and hopefully far easier to read the sourcecode  (still perl though ! ).

And a new theme. Perhaps one day I’ll fix my twitter sync script.

In the mean time, there’s a bit on Solr on Pale Purple’s blog. along with SpamDyke to stop Qmail being overrun by spam.

Recently on the Twitter the following (attached) image came up – presumably legit, of a job advert. Highlights below. It’s almost like someone cut and pasted two job postings together. The phone number does appear to be legit … so perhaps the advert itself is?

Continue reading “Wanted: Developer with interesting skills…. oh, and it’s for the minimum wage… (Is this a joke?)”

One of my customers uses Akismet to protect his various blogs from the masses of spam.

Oddly torwards the end of last week, Akismet started to identify everything as spam, with no error message being returned on check of spam, and the admin dashboard showing the api key/akismet were happy.

I initially thought that perhaps Akismet was just having a bad day, and the problem would go away in a few hours/days time – but this hasn’t been the case. So today, I added in a WordPress plugin to debug the HTTP calls to Akismet to see if that would help identify the problem.

add_action( 'http_api_debug', '_custom_http_api_debug', 10, 5 );

function _custom_http_api_debug( $response, $type, $class, $args, $url ) {    
    error_log( 'Request URL: ' . var_export( $url, true ) );
    error_log( 'Request Args: ' . var_export( $args, true ) );
    error_log( 'Request Response : ' . var_export( $response, true ) );
}

i.e. for a message which was known to be spam :

• http post to : http://xxxx.rest.akismet.com/1.1/comment-check
• Response body of ‘true’ (HTTP 200 status code etc) (which is correct as per http://akismet.com/development/api/#comment-check )

However, what gave me an idea that something was amiss is that if an administrator attempted to mark an incorrectly tagged comment as ham, the following was seen –

• Post to http://xxxxx.rest.akismet.com/1.1/submit-ham
• Response body of ‘Invalid Key’